One reality of the modern Internet-connected world is that the storage and transfer of sensitive and secure electronic data is potentially vulnerable to data breaches. Further, as electronic systems, such as point of sales (“POS”) systems, become more complex, and as hackers become more sophisticated, security concerns are continually increasing.
In the early days of electronic transactions, dedicated magnetic card readers would scan unencrypted sensitive data on a credit card and transfer it to a transaction service for completion of the transaction. These communications were typically made over a dial-up connection and required basic encryption in the reader device in order to maintain security of the packet.
Over time, the reader devices have become more advanced, often with Internet connections and data input ports that enable malware to infect POS terminals. Further, as more and more merchants have moved to transfer data over the Internet, additional security features have been developed.
Most notably, “tokenization” is a means for replacing sensitive data with a “token” of data that may be non-decryptable or non-detokenizable by the merchant or other tokenization users (e.g. because they require third party decryption). Merchants, for example, might not ever store sensitive data themselves, thus enhancing data security.
However, a problem arises when merchants or other parties wish to involve third-party services that require access to sensitive data. For example, a merchant may wish to enable third-party fraud protections requiring access to account numbers of their customers not stored in merchant systems. A solution is needed that will preserve risk reduction, enable a cost-effective architecture, and that does not dilute the original value proposition.